[gentoo-hardened] run_init + pipes

[Dustin C. Hatch]

I have been struggling to get my hardened systems managed by Ansible for
quite some time now. I have almost everything working well now, except
service control. It seems like the run_init stuff in OpenRC behaves
strangely when /sbin/rc-service is called via exec(),
stdin/stdout/stderr are connected to pipes, and the whole thing is run
through sudo. I suspect it has something to do with the way run_init
tries to prompt for credentials (even though I have that "disabled").

Here's what I've got set up:

-----------------

test-bd06fe ~ # grep -Ev '^#|^$' /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=strict

test-bd06fe ~ # getenforce
Permissive

test-bd06fe ~ # cat /etc/pam.d/run_init
#%PAM-1.0
# Uncomment the next line if you do not want to enter your passwd everytime
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     pam_xauth.so

test-bd06fe ~ # cat /etc/sudoers.d/root
root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

test-bd06fe ~ # cat test2.py
import subprocess

p = subprocess.Popen(['/sbin/rc-service', 'nfsmount', 'restart'],
                     stdin=subprocess.PIPE,
                     stdout=subprocess.PIPE,
                     stderr=subprocess.PIPE)
o, e = p.communicate()
print('exitcode: {}'.format(p.returncode))
print('stdout: {}'.format(o))
print('stderr: {}'.format(e))

test-bd06fe ~ # python2.7 test2.py
exitcode: 0
stdout:  * Starting NFS sm-notify ... [ ok ]
 * Mounting NFS filesystems ... [ ok ]

stderr:

test-bd06fe ~ # rc-service nfsmount status
 * status: started

test-bd06fe ~ # rc-service nfsmount stop
 * Unmounting NFS filesystems ...
                                                          [ ok ]

test-bd06fe ~ # sudo python2.7 test2.py
exitcode: 0
stdout:
stderr:

test-bd06fe ~ # rc-service nfsmount status
 * status: stopped

-----------------

As you can see, this happens even when SELinux is not enforcing, so I
don't think it is policy related. I wonder if there is some way to stop
run_init from trying to prompt for authentication altogether, especially
when stdin/stdout/stderr is not a tty.

Any thoughts or pointers would be appreciated.

Thanks,

-- 
♫Dustin
http://dustin.hatch.name/